Cui, Dexuan
2007-Dec-11 16:43 UTC
[Xen-devel] [HVM] Don''t invoke pt_{save/restore}_timer for one_shot timer
HVM guest can set vlapic timer to one-shot mode; in
vmx_asm_vmexit_handler -> do_softirq(), we may invoke pt_timer_fn() for
some timer T (T is used for some vlapic timer vpt and fires at this
time), hence T is removed from the timer_heap; soon after that, when we
remain in do_softirq(), we may invoke schedule() due to
SCHEDULE_SOFTIRQ, and the vcpu is switched out;
When the vcpu is switched in, in hvm_do_resume() -> pt_restore_timer(),
we use set_timer() to unconditionally add the fired T into the
timer_heap!
Next, in vmx_asm_vmexit_handler -> vmx_intr_assist() -> pt_intr_post(),
we "pt->enabled = 0";
Next, the guest may re-program the vlapic timer: vlapic_write() ->
create_periodic_time() -> set_timer(), so T is added into the timer_heap
again! And later, when we remove T from the timer_heap for the 2nd time,
we can crash Xen.
The issue can be reproduced easily on Woodcrest and Weybridge platforms
by installing 32-bit Fedora 7 with vcpus=8.
The patch fixes the issue by not invoking pt_{save/restore}_timer for
one_shot timer.
Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Keir Fraser
2007-Dec-12 11:09 UTC
[Xen-devel] Re: [HVM] Don''t invoke pt_{save/restore}_timer for one_shot timer
Dexuan, Please try xen-unstable changeset 16595 and see if that fixes the issue. You''ll need to take just that patch, or remove changeset 16594, as otherwise your IRQ routing fix will mask the issue. Thanks! Keir On 11/12/07 16:43, "Cui, Dexuan" <dexuan.cui@intel.com> wrote:> HVM guest can set vlapic timer to one-shot mode; in > vmx_asm_vmexit_handler -> do_softirq(), we may invoke pt_timer_fn() for > some timer T (T is used for some vlapic timer vpt and fires at this > time), hence T is removed from the timer_heap; soon after that, when we > remain in do_softirq(), we may invoke schedule() due to > SCHEDULE_SOFTIRQ, and the vcpu is switched out; > When the vcpu is switched in, in hvm_do_resume() -> pt_restore_timer(), > we use set_timer() to unconditionally add the fired T into the > timer_heap! > Next, in vmx_asm_vmexit_handler -> vmx_intr_assist() -> pt_intr_post(), > we "pt->enabled = 0"; > Next, the guest may re-program the vlapic timer: vlapic_write() -> > create_periodic_time() -> set_timer(), so T is added into the timer_heap > again! And later, when we remove T from the timer_heap for the 2nd time, > we can crash Xen. > > The issue can be reproduced easily on Woodcrest and Weybridge platforms > by installing 32-bit Fedora 7 with vcpus=8. > > The patch fixes the issue by not invoking pt_{save/restore}_timer for > one_shot timer. > > Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel